But [Hans] wasn’t interested in stealing value, just in seeing how things work. So he stuck the card in his reader and, after looking around a bit, figured out that it uses the Atmel AT88SC0404C chip. He downloaded the datasheet and started combing through the features and commands. The cards have a four-wrong-password lockout policy, so each card yields at most four guesses; he calculated that brute forcing the chip’s stored password would take an average of over two million cards. But further study showed that this is a moot point. He fed the default password from the datasheet to his card and it worked.

We know it takes quite a bit of knowledge for the average [Joe] to manipulate these cards at home, but changing the default password is literally the very least the company could have done to protect their system.

I used to teach in a poor SF Bay Area town which always had default passwords in its copiers. 11111. When we were budgeted only 2000 copies per teacher one year, I created several unlimited copier accounts so colleagues and I could make the copies they needed to ensure all students had access to the materials (amazingly, a very real concern among poorer districts even today).

A friend of mine used to have a phone card that would get him free stuff from a certain gas station. He found out by accident, since the phone card looked a lot like his credit card on the face. The dumb bastard got greedy though, and almost got into a lot of trouble.

Wow – how does that even happen? Too bad banks don’t issue a default PIN until you change it. I bet the designers of that system would still be using 1111 on their ATM cards!
Good thing there are folks out there willing to pressure test these types of designs.

uh, seriously folks this is not a big fail. the reality is most people don’t have the hardware or sophistication needed to break a system like this even though the passwords are left as default and the cards are out-of-box vanilla.

i think the best REAL fail i can think of was those wal-mart gift cards using magnetic strips that contained in plaintext their values encoded on the card with no backend authentication to back them up. man, i know some people printed their own money with that system.

here in the bay area we have a commuter train system called BART. their magstrip cards were among the earliest used for infrastructure on this side of the country, and even since the beginning they have had good overall security on their system — everything is authenticated on their side; even though your card has its value printed on it, the magstrip says something else.

Being a bank employee, I have come to be familiar with some of the regular ATM default admin passwords. It’s crazy, just about every gas station I walk into is using a cheap ATM with the default password still used. And that’s through a card-services vendor! Absolutely nuts how people don’t change those things.

Perhaps this security hole is limited to Viksler’s location? The Web laundry cards on my campus all have non-default write7 passwords and have all four security fuses blown. Please don’t ask me how I know this. Anyway, I’m wondering if this “fail” might not be all that widespread.